TCP Port 25 Restriction Description
Overview
TCP Port 25 is commonly used as the default port for the Simple Mail Transfer Protocol (SMTP), which manages email-sending functions. Baidu AI Cloud EIPs block TCP egress on Port 25 by default for the following key reasons:
- Prevent spam transmission
  - Issue: An open Port 25 can be abused by malicious actors to send large volumes of spam emails from the server.
  - Impact: This not only disrupts email recipients but can also lead to the server's IP addresses being blacklisted globally. As a result, emails from legitimate users may also fail to reach their destination.
- Reduce network attacks
  - Issue: Port 25 is frequently targeted in network attacks, such as DDoS attacks and botnet activity.
  - Impact: Such attacks may destabilize servers, cause service outages, and lead to potential data leaks or data corruption.
- Ensure network quality
  - Issue: Unrestricted email traffic might heavily consume network bandwidth.
  - Impact: This can degrade overall server network performance, negatively affecting the service experience for other customers.
Solution overview
Users can switch to other email transmission ports:
- Port 587: Commonly referred to as the "submission" port, Port 587 is designed for mail submission from client to server and is supported by most modern mail servers.
- Port 465: While originally designated for SMTPS (SMTP with SSL), this port has since been deprecated. However, many services continue to support it as an encrypted SMTP port.
This document uses Port 587 as an example for providing configuration guidelines.
Configuration steps
Modify mail server configuration
Taking Postfix as an example, Port 587 with STARTTLS encryption can be enabled through the following steps:
Step 1: Verify that the required encryption libraries are installed. On most Linux distributions, this can be done by installing OpenSSL.
Step 2: Enable Port 587 in /etc/postfix/master.cf:
submission inet n - y - - smtpd
Step 3: Set up TLS parameters in the /etc/postfix/main.cf file:
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/private/mailserver.key
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Set smtpd_tls_key_file to the path of the server's private key and smtpd_tls_cert_file to the path of its SSL certificate. Users can use either self-signed certificates or certificates issued by a trusted Certificate Authority (CA).
Step 4: Restart Postfix.
sudo systemctl restart postfix
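Before restarting, it is worth confirming that the settings from Steps 2 and 3 are really in place. The checker below is an added example written for this page (it is not part of Baidu AI Cloud's documentation or of Postfix); it parses main.cf and master.cf text, and the two file contents embedded in it are constructed samples mirroring the guide's configuration.

```python
"""Sanity-check the Postfix Port 587 / STARTTLS settings described above."""
import re

# Constructed sample main.cf content mirroring the guide's TLS parameters.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/private/mailserver.key
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.pem
smtpd_tls_loglevel = 1
"""

# Constructed sample master.cf content with the submission service enabled.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
"""

def parse_main_cf(text):
    """Return main.cf parameters as a dict, ignoring comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def submission_enabled(master_cf):
    """True if an uncommented 'submission inet <5 fields> smtpd' line exists."""
    pattern = re.compile(r"^submission\s+inet\s+(?:\S+\s+){5}smtpd\b")
    return any(pattern.match(line) for line in master_cf.splitlines())

def check_tls(params, master_cf):
    """Return a list of findings; an empty list means the guide's settings are present."""
    findings = []
    if not submission_enabled(master_cf):
        findings.append("master.cf: submission service (Port 587) is not enabled")
    level = params.get("smtpd_tls_security_level", "none")  # Postfix default: no TLS
    if level not in ("may", "encrypt"):
        findings.append(f"smtpd_tls_security_level={level}: STARTTLS is not offered")
    if params.get("smtpd_tls_auth_only", "no") != "yes":  # Postfix default: no
        findings.append("smtpd_tls_auth_only != yes: logins may be sent in clear text")
    for key in ("smtpd_tls_key_file", "smtpd_tls_cert_file"):
        if key not in params:
            findings.append(f"{key} is not set: Postfix cannot present a certificate")
    return findings

if __name__ == "__main__":
    print(check_tls(parse_main_cf(SAMPLE_MAIN_CF), SAMPLE_MASTER_CF) or ["OK"])
```

To check a real server, read /etc/postfix/main.cf and /etc/postfix/master.cf into the two arguments instead of the samples; a non-empty list names the setting that still deviates from the guide.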
Email client configuration
After completing the server-side setup, the client-side configuration must also be updated accordingly.
Taking Thunderbird as an example:
Step 1: Access Account Settings.
Step 2: Select the email account, then navigate to Outgoing Server (SMTP).
Step 3: Choose the SMTP server and click "Edit".
Step 4: Update the port to 587 and choose STARTTLS as the encryption protocol.
Step 5: If the server utilizes a self-signed certificate, you may receive a warning on the first connection. Confirm the certificate and select the option to accept it permanently.
Unblock request
For special scenarios requiring TCP Port 25 for external connections on Baidu Cloud Compute, refer to https://cloud.baidu.com/doc/EIP/s/Qlw1vnygl for the unblock request process.
